AGARI CYBER INTELLIGENCE DIVISION · The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigations,

© 2019 Agari Data, Inc.

AGARI CYBER INTELLIGENCE DIVISION

Q3 2019 Email Fraud and Identity Deception Trends
Global Insights from the Agari Identity Graph™

REPORT


Executive Summary

Data captured in the latest quarterly analysis from the Agari Cyber Intelligence Division (ACID) demonstrates that the continuing evolution of business email compromise, spear phishing, consumer-targeted brand impersonation scams, and other advanced email threats is far from linear. Instead, it’s taking on new permutations and trajectories, even reversing successful trendlines, at least temporarily, to throw off targets and maximize returns. What emerges is the picture of email-based threats that grow more dangerous, and more unpredictable, by the day.

Election 2020: Top Presidential Contenders Remain Wide Open to Email Attack

With the 2020 presidential primary season rapidly taking shape, analysis from the Agari research team finds that 85% of the top candidates across both parties continue to rely on vulnerable email accounts that put their staff at risk from the same kind of phishing attacks that helped derail Hillary Clinton’s 2016 presidential bid. As this cycle gains speed, campaigns and their ever-changing ecosystems of advisors, pollsters, and policy analysts will only become easier targets for email attacks launched by nation-states and other operatives.

But others may be burned just as badly or worse, causing potentially irreparable harm to candidacies and even to our democracy. As of June 30, ACID analysis of domain data finds that among the leading candidates polling over 1%, only four have DMARC records established for their domains with the policy that prevents the campaign or the candidate from being impersonated in email scams targeting donors, voters, reporters, and others. If the phishing and misinformation campaigns conducted by the world’s top threat actors during the last election cycle weren’t enough to prompt presidential candidates to take action, 2016 may prove to be just a warm-up act for the transgressions headed our way in 2020.


Gift Cards Now the #1 BEC Cash-Out Mechanism for Fraudsters

While wire transfers have long been the primary objective in BEC scams, gift cards have become the top cash-out tactic for fraudsters. During the second quarter of 2019, 65% of all BEC attacks observed by the ACID team prompted victims to purchase and send gift cards to the attacker. And 75% of the gift cards requested by BEC hustlers belong to only five brands: Google Play, Steam Wallet, Amazon, Apple iTunes, and Walmart. This approach has key benefits to con artists, as gift cards represent a ready tool for laundering the proceeds of their crimes with little to no traceability. There is a downside, however, as the money attackers can net with each gift card is significantly less than what’s possible through wire transfers. Nonetheless, the growing prevalence of gift cards in BEC attacks indicates the ROI must outweigh the negatives.

Employee-Reported Phishing Attacks Jump 14% as Breach Risks Mount

Employee-reported phishing incidents rose 14% during the second quarter to more than 33,108 annually, according to the Q3 ACID Phishing Incident Response Survey of 175 professionals at 280 organizations with 1,000+ employees. During the same period, respondents to this quarter’s survey reported a 16% increase in the number of false positives, while the time needed to triage, investigate, and remediate rose 13% per incident. And while the average number of SOC analysts increased to 15.3 per organization, the gap between the analysts on staff and the number needed to handle these volumes grew by 22%.

DMARC Adoption Rates Tick Up 2%, Though 83% of Fortune 500 Still at Risk

For this report, ACID identified 7,044,371 domains with valid Domain-based Message Authentication, Reporting and Conformance (DMARC) records as part of the largest ongoing study of DMARC adoption worldwide. The United States and Germany remain leaders in the total number of domains with DMARC records, and the US is still #1 in the number of domains whose records carry reject policies. Overall, domains with DMARC records rose just 2% in the second quarter, leaving most of the world’s most prominent corporations at risk from email-based brand impersonation scams targeting their customers, partners, and other consumers and businesses. That includes a staggering 83% of the Fortune 500.


Inside this Report

In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.

Continuing a feature first introduced in our Q2 2019 report, this edition assesses current adoption rates for both email authentication and advanced email security among top candidates seeking their parties’ nominations heading into next year’s 2020 US presidential elections. This includes analysis of which campaigns may be most vulnerable to email-based impersonation fraud that can damage their candidates’ reputations, fundraising efforts, press coverage, and even national security.

The statistics presented here reflect information captured from the following sources from April through June 2019:

• Analysis of 2020 presidential campaign email vulnerability based on DNS and MX records
• Data extracted from trillions of emails analyzed by the Agari Identity Graph™
• Insights from our quarterly phishing incident survey of SOC professionals at 280 companies
• DMARC-carrying domains identified among 328 million+ domains crawled worldwide

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigations, identity deception tactics, criminal group dynamics, and relevant trends behind these and other advanced email threats. Created by Agari in 2018, ACID helps to mitigate cybercriminal activity by working with law enforcement and other trusted partners.


Table of Contents

Presidential Campaign Security 2020
- Deception 2020: US Presidential Candidates Remain Vulnerable (p. 9)
- Inbox Intruders: Spear Phishing Attacks May Already Be Targeting Candidates (p. 11)
- Imposter Syndrome: Most Candidates Failing to Prevent Impersonation Scams (p. 13)

Employee Phishing and Business Email Compromise Trends
- Angles of Attack: Compromised Accounts Sink as Brand Impersonation Increases (p. 17)
- BEC Breakout Session: Gift Cards, Payroll Diversions Displacing Wire Transfers for Cash-Outs (p. 19)

Phishing Incident Response Trends
- Incident Response Needs Increase: SOCs Left Reeling as Employee-Reported Attacks Climb 14% (p. 28)
- Employee Reporting Tools Gaining Traction: Survey Respondents Report More Reporting Options (p. 30)
- Breachonomics: Data Breach Risk Reductions from Automation Continue to Grow (p. 35)

Consumer Phishing and DMARC Trends
- DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide (p. 39)
- Vendor Scorecard: How DMARC Service Providers Compare (p. 41)
- DMARC Breakout Session: Email Authentication Grows, Reject Policies Still Not Enforced (p. 43)
- Brand Indicators Adoption: BIMI Skyrockets Nearly 400% in Just Ninety Days (p. 50)

About This Report (p. 51)
About the Agari Cyber Intelligence Division (ACID) (p. 52)


Key Terms

A Taxonomy of Advanced Email Threats

With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments, it is vitally important to codify a consistent set of terms to describe the different challenges that characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

For more information about the Agari Threat Taxonomy, see www.agari.com/taxonomy

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.

Because email fraud centers around identity deception—the impersonation of trusted senders—in order to con recipients, we start with the method by which the imposter impersonates the trusted sender’s email account, making it appear as if the emails the imposter is sending are originating from the trusted party.

[Figure: the Agari Threat Taxonomy, organized along four axes. Sender: Imposter (Compromised Account, Display Name Deception, Look-alike Domain, Spoof) or Authentic (Account Owner). Recipient: Internal (Employees) or External (Contractors, Partners, Customers). Objective: Monetary, IP/Data/Credential Theft, Denial of Service. Classification: Fraud (Social Engineering, either Targeted or Scattershot, delivered as a Con, a URL, or Malware), Unsolicited Email (Spam, Graymail), Legitimate Email (Misconfiguration).]


Leading Attack Modalities

Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted widely by all businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an imposter who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.

[Figure: the Sender axis of the taxonomy. Imposter: Compromised Account, Display Name Deception (Brand / Individual), Look-alike Domain, Spoof. Authentic: Account Owner.]
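To make the three modalities above concrete, here is an added Python example (not Agari’s code and not part of the report) that sorts a message into the taxonomy’s imposter categories from its From: header plus the receiving mail server’s DMARC verdict. The trusted-sender list, the free-mail provider set, the sender addresses and the examplebank.com / examplecorp.com domains are all constructed for the example, and the edit-distance threshold of 2 used for look-alike detection is an assumption, not a figure from the report.

```python
"""Sort a message into the taxonomy's sender categories from its From: header.

Added example, not code from the Agari report. Every trusted sender, address
and domain below is constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allow-list: lower-cased display name -> the domain it may use.
TRUSTED = {
    "examplebank support": "examplebank.com",
    "jane doe": "examplecorp.com",
}

# Constructed set of free cloud-mail providers typical of "friendly from" attacks.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

# Assumed threshold: a registrable label within 2 edits of a trusted one is a look-alike.
LOOKALIKE_MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def looks_like(candidate: str, legit: str) -> bool:
    """True when candidate is a near-miss of legit: its registrable label is within
    LOOKALIKE_MAX_EDITS of the trusted label, or embeds it (examplebank-secure.com)."""
    if candidate == legit:
        return False
    cand_label = candidate.split(".")[0]
    legit_label = legit.split(".")[0]
    return (levenshtein(cand_label, legit_label) <= LOOKALIKE_MAX_EDITS
            or legit_label in cand_label)


def classify(from_header: str, dmarc_pass: bool) -> str:
    """Return the sender category for one From: header.

    dmarc_pass is the receiving MTA's authentication result (SPF or DKIM aligned
    with the From: domain). Without it the header cannot separate a spoof from
    mail that really left the trusted domain.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    trusted_domain = TRUSTED.get(name.strip().lower())

    if domain in TRUSTED.values():
        # Claims the real domain: only authentication can tell a spoof apart.
        return "authentic-or-compromised" if dmarc_pass else "spoof"
    if any(looks_like(domain, legit) for legit in TRUSTED.values()):
        # Attacker-registered near-miss domain; it may well pass DMARC itself.
        return "look-alike domain"
    if trusted_domain is not None:
        # Trusted name on an unrelated mailbox: display name deception.
        suffix = " (free-mail)" if domain in FREEMAIL else ""
        return "display name deception" + suffix
    return "unclassified"


# Constructed sample headers with the DMARC verdict a receiver would attach.
SAMPLES = [
    ("ExampleBank Support <alerts@examplebank.com>", False),
    ("ExampleBank Support <alerts@examplebank.com>", True),
    ("ExampleBank Support <alerts@examp1ebank.com>", True),
    ("ExampleBank Support <examplebank.support@gmail.com>", True),
    ("Jane Doe <jane.doe@corp-mail.example>", True),
    ("Newsletter <news@othervendor.example>", True),
]


def classify_samples() -> list:
    """Classify every constructed sample; returns the list of category strings."""
    return [classify(header, verdict) for header, verdict in SAMPLES]


if __name__ == "__main__":
    for (header, verdict), category in zip(SAMPLES, classify_samples()):
        print(f"{category:35s} dmarc_pass={verdict!s:5s} {header}")
```

Two caveats the block encodes: a look-alike domain can legitimately pass DMARC, because the attacker controls it, so authentication alone never catches that modality; and a message from the genuine domain that passes DMARC may still come from a compromised account, which is why the block reports authentic-or-compromised as one bucket that only behavioural analysis can split.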


Presidential Campaign Security 2020

Protecting the United States Election From Nation-State Attacks


Deception 2020: US Presidential Candidates Remain Vulnerable

With the first presidential primary debates of the 2020 election cycle now behind us, nearly all candidates in both major parties remain at risk from phishing attacks against staff and email scams that impersonate their campaigns. Steps to secure the email channel should be taken now to neutralize the efforts of foreign adversaries to undermine candidates, roil public opinion, and weaken our democracy.

Just nine months before votes are cast in the earliest primary states, the incumbent, his sole Republican challenger, and all but four of the Democratic candidates remain at high risk from phishing attacks against staff, email scams impersonating their campaigns, or both.

While it may seem as if email security is something that can wait until after candidates have clinched their parties’ nominations, that may be wishful thinking. In the aftermath of successful efforts to derail Hillary Clinton’s 2016 presidential bid, the volume and ferocity of email attacks heading into the 2020 elections can only grow worse—and are likely to start earlier than most campaigns would suspect.

It has been nearly three years since Clinton campaign chairman John Podesta received a phony Gmail “account alert” containing a malicious link that resulted in a damaging leak of internal campaign emails. But nearly a full election cycle later, little has changed. While we have seen a small increase in email security over the last quarter, it appears that few candidates have the resources to implement critical defenses for the email channel.

The information here was collected on July 30, 2019. For an up-to-date status on top candidates, see www.agari.com/election


Starting on July 11th, the Federal Election Committee (FEC) began approving requests made by email security solutions providers to implement anti-phishing solutions for campaigns and political parties at discounted prices without violating campaign finance laws. Agari, for instance, is offering campaigns its services at low or no charge in order to ensure that US citizens determine the next president of the United States—not cybercriminals.

Campaigns might want to jump on such offers now. As of June 30, only one candidate has implemented best practices to secure her campaign against email threats targeting campaign staff, donors, and the public. Just three of the remaining twelve top contenders have implemented email authentication to protect against email-based impersonation, and only one has deployed advanced email security solutions to protect campaigns from attacks that can lead to breaches.


Inbox Intruders: Spear Phishing Attacks May Already Be Targeting Candidates

According to ACID analysis, 85% of today’s major presidential campaigns continue to rely solely on the easily-evaded security controls built into their email platforms—predominantly Microsoft Office 365 and Google Suite.

While these platform-native security features provide solid protection against malware and malicious links, they don’t stand a chance against today’s most advanced email attack methodologies. In addition to sending malicious links like the kind that fooled John Podesta in 2016, today’s threat actors use sophisticated social engineering tactics to send highly-personalized email messages designed to manipulate recipients into revealing login credentials or other sensitive information by making it appear as if the message was sent by a known and trusted source.

Only 15% of Candidates Have Implemented Advanced Email Security

Despite the relative ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only two of the top thirteen US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.

At best, that means campaign staff will hopefully avoid most of the fraudulent “Account Closure Notice,” or “Payment Past Due” alerts aimed at harvesting email logins that give hackers access to archived and ongoing email threads. But how many will recognize email attacks with subject lines reading, “Re:,” or “Quick Request,” or “Following up” from a senior campaign official, an outside polling firm, or a reporter? Or perhaps even from the candidate themselves asking the recipient to pay an outstanding invoice or forward confidential polling data?

Thankfully, these kinds of business email compromise scams, spear phishing attacks, and other email threats can be blocked by adding advanced email security solutions to Gmail or O365.

While most of the US presidential candidates have yet to take such simple steps to protect their campaigns, foreign and domestic adversaries are not going to wait to gain the foothold they need to cause maximum damage in the heat of the general election, no matter who the final nominees may be.

[Figure: candidates polling >1%, by email platform: 78% Google, 7% Microsoft O365; 15% have a third-party advanced email security provider.]


Warren and Weld Lead in Advanced Email Security

Of the candidates polling over 1% according to tracking data from Real Clear Politics, Massachusetts Senator Elizabeth Warren (D) and Former Massachusetts Governor William Weld (R) continue to be the only candidates to put an advanced security solution in place to protect their staff from incoming email attacks that could crush their presidential ambitions.

The threat cannot be overstated. Over the last year, there has been a 250% increase in phishing attacks targeting organizations operating within cloud-based email environments. And even with substantial investments in security, more than 90% of all data breaches start with a well-targeted malicious email. According to Verizon’s 2019 Data Breach Investigations Report, 36% of external attackers are now affiliated with nation-states, statistically even with organized crime.

Given recent history, it’s safe to assume that cyberattacks against 2020 US presidential candidates will be more aggressive than we’ve seen before, precisely because these attackers continue to move away from content-based techniques and toward identity-based attacks, which many cybersecurity technologies cannot detect.

It’s likely that without advanced email security solutions, the continuously evolving ecosystems of advisors, policy analysts, pollsters, media and advertising experts, and other members of a candidate’s inner circle will be seen as sitting ducks by world-class hackers and others seeking to undermine their campaigns, the 2020 elections, and US democracy itself.

And that’s just the inbound threats. Then there are the other forms of email attacks candidates will face in the year ahead.


Imposter Syndrome: Most Candidates Failing to Prevent Impersonation Scams

US congressional and presidential candidates are also at risk of their campaigns being impersonated in phishing attacks targeting not their staff, but rather existing and prospective donors, the press, voters, and more. Email authentication with DMARC is the key to stopping it.

During the second quarter of 2019, the campaigns of New Jersey Senator Cory Booker, Hawaii Congresswoman Tulsi Gabbard, and Former Vice President Joe Biden followed Massachusetts Senator Elizabeth Warren’s lead in implementing email authentication using DMARC.

The DMARC protocol helps ensure that only authorized parties can send emails on a candidate’s or campaign’s behalf—thus preventing them from being impersonated in phishing attacks targeting their most important constituencies.

In 2017, the US Department of Homeland Security issued Binding Operational Directive (BOD) 18-01, which requires all executive branch agencies to adopt DMARC with its top enforcement policy of “reject” in order to provide the strongest protection against impersonation-based attacks targeting other agencies, government officials, citizens, media outlets, foreign allies, US citizens and more. Yet while the US executive branch now ranks among the leading industry verticals in DMARC adoption, no such directive has been set for the legislative and judicial branches, much less for campaigns for federal office. Given the stakes, DHS may want to rethink that.

[Figure: candidates polling >1%, protection against impersonation via DMARC: 31% protected, 69% not protected.]


A Masquerade Most Sinister

Even with the progress seen during the second quarter, nine of the thirteen candidates for president are not properly utilizing the reject policy within DMARC, leaving them and their donors, voters, and the foreign and domestic press open to phishing attacks and disinformation campaigns.

Factor in emerging “Deep Fake” technologies that enable the production of videos that make a candidate appear to say anything the video creators want, and the threat level could escalate quickly. What kinds of fraudulent statements or mischaracterized policy positions could be attributed to candidates and emailed to rival campaigns, the media, key voters, and others? What if there’s even this kind of video “proof” to substantiate the claims? The damage is likely to spread faster than news media fact checkers can alert voters to the con.

For that matter, what happens when a candidate or campaign is successfully impersonated in fundraising appeals, defrauding existing and prospective donors out of money? What happens when the negative publicity and bot-driven social media maelstrom erupt, making these and other constituents wary of opening a campaign’s legitimate email messages? Today, email marketing has an average $38 ROI for every $1 spent. Failure to protect this all-important fundraising channel can be an instant campaign killer.


The Incumbent, Key Challengers Vulnerable to Imposters

Out of all candidates with polling averages above 1%, eight have DMARC records assigned to their domain. These include:

• Former Vice President Joe Biden (D)
• New Jersey Senator Cory Booker (D)
• South Bend, Indiana Mayor Pete Buttigieg (D)
• Former Secretary of Housing and Urban Development Julian Castro (D)
• Hawaii Congresswoman Tulsi Gabbard (D)
• Minnesota Senator Amy Klobuchar (D)
• Incumbent President Donald J. Trump (R)
• Massachusetts Senator Elizabeth Warren (D)

But only four—Biden, Booker, Gabbard, and Warren—have assigned DMARC records with a p=reject policy to stop unauthenticated emails from being delivered.

Because a DMARC record does not prevent illegitimate mail from reaching the inbox until its policy is set to p=reject, every other major candidate remains at risk of email-based impersonation—including the sitting President of the United States.

Voters, journalists, donors, and others should be wary of any email purporting to come from any candidate domain other than those of Biden, Booker, Gabbard, and Warren. No other candidates have implemented the protocols necessary to keep email scams bearing their names from hitting inboxes. We should all hope this situation is mitigated as quickly as possible—before one of these unprotected candidates becomes a cautionary tale that damages trust in the electoral process.
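The distinction drawn above, between merely having a DMARC record and having one whose policy is p=reject, is easy to get wrong when reading raw records, so here is an added Python example (not Agari’s code) that parses a DMARC TXT record and reports whether it actually enforces. The records and domain names are constructed; a real check would fetch the TXT record published at _dmarc.<domain>, which this offline example deliberately does not do. It goes a step beyond the page by also flagging two partial-enforcement cases that leave a domain impersonable, a pct value below 100 and a weaker subdomain policy (sp), using the defaults from RFC 7489.

```python
"""Parse a DMARC TXT record and report whether it actually enforces.

Added example, not code from the Agari report. The records and domain names
below are constructed; a live check would fetch the TXT record published at
_dmarc.<domain>, which this offline example does not do.
"""


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary.

    Returns {} unless the first tag is exactly v=DMARC1, which is how a receiver
    decides the TXT record is a DMARC record at all (RFC 7489 section 6.3).
    """
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return {}
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policies(tags: dict) -> tuple:
    """Return (domain policy, subdomain policy, pct) with RFC 7489 defaults:
    sp falls back to p, pct defaults to 100, and a missing p is treated as none."""
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return p, sp, max(0, min(pct, 100))


def assess(txt: str) -> dict:
    """Judge one record: 'protected' only when reject is enforced for the domain,
    for all failing mail (pct=100), and for its subdomains (sp)."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"valid": False, "protected": False,
                "reason": "no valid DMARC1 record: anyone can send as this domain"}
    p, sp, pct = effective_policies(tags)
    if p != "reject":
        protected, reason = False, f"p={p}: failing mail is still delivered"
    elif pct < 100:
        protected, reason = False, f"p=reject applies to only {pct}% of failing mail"
    elif sp != "reject":
        protected, reason = False, f"sp={sp}: subdomains can still be impersonated"
    else:
        protected, reason = True, "p=reject enforced for the domain and its subdomains"
    return {"valid": True, "policy": p, "subdomain_policy": sp, "pct": pct,
            "protected": protected, "reason": reason}


# Constructed records for constructed domains (none of these are real lookups).
RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "partial.example": "v=DMARC1; p=reject; pct=25",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "no-record.example": "",
    "wrong-record.example": "v=spf1 include:_spf.example -all",
}


def protected_domains() -> list:
    """Return the constructed domains whose record really blocks impersonation."""
    return sorted(d for d, rec in RECORDS.items() if assess(rec)["protected"])


if __name__ == "__main__":
    for domain, rec in RECORDS.items():
        verdict = assess(rec)
        flag = "PROTECTED" if verdict["protected"] else "AT RISK"
        print(f"{domain:24s} {flag:10s} {verdict['reason']}")
```

Of the seven constructed domains only enforcing.example counts as protected; monitoring.example has a record (and so would appear in an adoption count like the one in this report) while still letting every forged message through, which is exactly the gap the page describes.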


Employee Phishing and Business Email Compromise Trends

Key Findings

In a large increase, 48% of all advanced email attacks involved brand impersonation this quarter.

Compromised accounts, a category that had seen double-digit growth in the previous two quarters, took a 33% plunge.

Cybercriminals are increasingly requesting gift cards, now in 65% of cash-out requests, supplanting wire transfers and other methods used in previous quarters.


Angles of Attack: Compromised Accounts Sink as Brand Impersonation Increases

Today, nearly 50% of all advanced email attacks involve brand impersonation—up 14% in the last three months.

[Figure: Advanced Attacks by Imposter Type, with a sample message for each. 48% Display Name Deception (Brand): From “Chase Support”, Subject “Account Disabled”. 24% Look-alike Domain: From “LinkedIn”, Subject “Diana has endorsed you!”. 16% Compromised Account: From “Raymond Lim”, Subject “PO 382313”. 12% Display Name Deception (Individual): From “Patrick Peterson”, Subject “Follow up on Invoice Payment”.]

Trendlines for phishing, business email compromise (BEC) scams, and other advanced email threats have once again shifted, as cybercriminal organizations continue to refine their methods. This summer, brand impersonations are in style and gift cards are the new money mule. The risks to businesses grow worse by the minute.

Game of Clones: Brand Identity Deceptions Account for 48% of Attacks

A sudden spike in phishing attacks impersonating trusted brands is rapidly reshaping the email threat landscape. Today, 60% of phishing campaigns employing identity deception tactics use display names designed to fool recipients into believing they’re being sent from a known and trusted individual or brand. Over the last quarter, however, nearly half impersonated prominent brands in the initial email—a sharp rise from the 34% seen in the previous quarter. Just 12% of identity-deception attacks impersonated individuals.


While both of these deception tactics attempt to hoodwink recipients, their purpose is typically quite different. Generally speaking, malicious emails that impersonate well-known brands are associated with credentials-harvesting schemes, while phishing emails spoofing trusted individuals are largely linked to more sophisticated, socially engineering-based attacks such as BEC or executive spoof scams.

These current shifts may be temporary. One line of reasoning suggests cybercriminal organizations were in full intelligence-gathering mode this spring, gearing up for larger, more lucrative BEC attacks to come. Though that’s no certainty, it may jibe with other significant changes seen during the period, including a precipitous drop in account takeover-based attacks.

Compromised Account Attacks Drop More than 30%

Nearly one quarter of identity deception emails employed look-alike domains to send malicious content, the second most frequent type of deception tactic observed during the quarter. While some of these domains can be simply spoofed and sent using basic mailing tools, many are registered by phishing threat actors. The cost associated with registering a domain reduces the total possible ROI for scammers, which is likely why this tactic is not used more readily.

Of far more interest is a precipitous drop in account takeover (ATO)-based phishing attacks launched from compromised email accounts, which made up only 16% of attacks over the last three months, down from 24% in the previous quarter. A legitimate email account pirated by scammers can be a highly effective launchpad for distributing phishing campaigns, since these emails are sent from what is otherwise a trusted source, allowing them to more easily bypass mail filters.

The drop in the number of attacks leveraging such accounts may signify the considerable complexities of this type of scheme. Or it may reinforce the notion that cybercriminal organizations are focusing on harvesting login credentials now in order to launch future attacks from a new universe of legitimate accounts.


BEC Breakout Session

Gift Cards, Payroll Diversions Displacing Wire Transfers for Cash-Outs

This quarter’s report includes a closer look at key BEC characteristics, plus the how-and-why behind dramatic shifts in laundering criminal proceeds from the costliest form of phishing attack.

65% of BEC Attacks Now Request Gift Cards

When BEC attacks first emerged in large numbers four to five years ago, the primary objective was to persuade a target—usually an employee in Accounts Payable or Finance—to wire money to a mule account under the mistaken belief that they were paying a legitimate vendor invoice.

Considering the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) reports BEC has led to $9 billion in business losses since 2016, the wire transfer angle seems to have worked out pretty well for the perpetrators.

But while this tactic is still in the picture, only 15% of BEC attacks seen over the last quarter used it as a cash-out method. Instead, two other methods—gift cards and payroll diversions—have become the predominant requests from BEC con artists seeking to steal money.

Type of BEC Attacks

65% Gift Card
20% Payroll Diversion
15% Direct Transfer


The Gift Card Gambit: When Less is Much More

Indeed, far and away the most frequent cash-out mechanism in BEC scams today is gift cards. Nearly two-thirds (65%) of all BEC attacks observed by the ACID team requested that the target purchase gift cards and then send them to the attacker.

Because they’re more anonymous, less reversible, and far less cumbersome than using a mule as an intermediary, gift cards have quickly emerged as the most popular cash-out option for scammers over the past year. Still, the approach does come with a downside. While gift cards afford obvious benefits to BEC scammers, one of the biggest drawbacks is that the amount of money an attacker can pilfer per attack is far less with gift cards than with wire transfers. During the past quarter, for instance, the average dollar amount for gift cards requested in BEC scams was just over $1,500.

By comparison, the average proceeds from attacks leveraging wire transfers were nearly $65,000. But don’t cry for the cybercrooks just yet. While there is a massive disparity in the amount of money that can be swiped between these two approaches, the rising volume and frequency of gift card-based BEC scams suggests the returns are well worth the effort.

Amount Requested per BEC Attack Type

BEC Attack Type    Average    Minimum    Maximum
Wire Transfer      $64,717    $5,000     $950,000
Gift Card          $1,562     $200       $6,000


How Card Sharks Stack the Deck

The gift cards requested by fraudsters in BEC scams tend to share some key attributes. Over the last quarter, these attackers requested fourteen different types of gift cards. But 75% of them belonged to five brands—Google Play, Steam Wallet, Amazon, Apple iTunes, and Walmart. In our report on the cybercriminal group Scarlet Widow, we discuss this trend in more detail—including how gift cards obtained by BEC scammers are laundered through online cryptocurrency exchanges.

Example Gift Card Request Email

From: <[email protected]>
To: < >
Subject: Re: Hello

Okay, I'm in the middle of something and looking forward to surprise some of our staffs with Gift, Walmart gift cards and I want you to keep it between us pending when they get it. So, therefore, I need a Walmart Gift card of $500 face value each. I need 8 pieces) making a total amount of $4,000. you can purchase them at any Walmart wholesale store outlet close to you. I need you to get the physical card, then you scratch the back out and write each 16 digit and 4 pins numbers and email them to me asap. So quickly go to Any Walmart outlet around you and purchase them now. Can you get it done in 30 minutes to 1 hour? Awaiting your Reply. Regards,

Gift Cards Requested in BEC Attacks

Google Play 41%
Steam Wallet 12%
Amazon 9%
Apple iTunes 8%
Walmart 6%
eBay, Target, Home Depot, Apple Store, Hotels.com, Other: 5% or less each


Divert Deposit, Big Return

The second most common form of BEC attack seen was the payroll diversion scam. These cons primarily target employees in Human Resources, and comprised one in every five BEC attacks observed in this period. The objective of these attacks is to fool someone in HR into changing the direct deposit details for an employee, usually a prominent executive, to a bank account controlled by the fraudster.

As it happens, this form of BEC is the current preferred modus operandi for the Scattered Canary criminal group. And it has steadily increased as an attack modality for other organizations over the past year, driven by the ability to use prepaid cards to obtain temporary checking accounts from which to receive diverted funds.

Example Direct Deposit Request Email

From: <[email protected]>
To: < >
Subject: Re: Sarah

I changed my bank and I’ll like to change my paycheck dd details, can the change be effective for the current pay date? Thanks,


If It Is Tuesday, It Must Be BEC

BEC scams share other characteristics as well. Perhaps not surprisingly given their targets, the vast majority (97%) send attacks on weekdays. What may be surprising to some is just how closely cybercriminals adhere to what are seen as best practices by legitimate email marketers. Despite sometimes conflicting research and variances between industries, a general rule of thumb is that the best day to send an email is Tuesday. During the last quarter, roughly one in every four of all BEC emails arrived on a Tuesday, with the rest tapering off Wednesday through Friday.

Up and At ‘Em: BEC Emails Are Almost Always Delivered in the AM

Likewise, the conventional wisdom among many legitimate email marketers is that it’s best to send emails first thing in the morning. Sure enough, BEC scammers also tend to send their email campaigns at the start of the day, with more than half of all BEC attacks distributed between 8 AM and 12 PM, with a notable preference for 9 AM, presumably aiming to arrive just as someone is sitting down to work in the morning.

BEC Deliveries by Day of the Week

Sun 1%
Mon 22%
Tues 24%
Wed 19%
Thur 17%
Fri 15%
Sat 2%

BEC Distribution by Time of Day (chart: share of BEC attacks by hour of day, 0 through 23)


62% of Business Email Compromise Scams Are Launched from Free Webmail Accounts

In the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. During the last quarter, 62% of BEC emails were sent from an easily-acquired webmail account.

Money for Nothing, Attacks for Free

Consistent with previous trends, the email provider of choice for most attacks was Roadrunner (rr.com), accounting for 18.1% of all BEC campaigns. Gmail was a close second as the webmail provider used for sending 13.2% of BEC emails, followed by AOL at a distant third.

Look-alike Domains and Compromised Accounts Have Key Benefits

In contrast to attacks launched from free webmail accounts, a third of BEC attacks were sent from email accounts hosted on a domain that was registered by the perpetrators.

While there is usually a cost associated with registering a domain, this approach does allow a scammer to create a more credible-looking email address, thus increasing the perceived legitimacy of the bogus email.

It’s likely the remaining five percent of BEC emails were sent from compromised accounts. It should be noted that regardless of the email account of origin, the display name associated with the email is almost always changed to impersonate a senior executive at the target organization, or a person at a partner or vendor company.

Top 10 Email Providers Used to Send BEC Emails

1. Roadrunner 18.1%
2. Gmail 13.2%
3. AOL 4.6%
4. Naver 4.5%
5. Lycos 3.7%
6. Cox 2.7%
7. Earthlink 2.5%
8. Virgin Media 1.9%
9. Comcast 0.9%
10. TWC 0.8%

Most Common Point-of-Origin for BEC Scams

62% Free Webmail Providers
33% Registered Domains
5% Compromised or Spoofed Accounts


Dirty Words: Top 10 Subject Lines for BEC Attacks

Short and not-so-sweet. If you’ve ever wondered what a BEC email looks like, that pretty much sums it up. The message itself is usually brief, and is crafted to prompt an immediate response from the recipient. The subject lines are typically generic enough to avoid suspicion, but contain certain key words sure to garner attention.

Chief among them are “request,” “urgent,” and “task.” But it’s also worth noting that four of the top ten BEC subject lines leverage one of the simplest and most irresistible words in the English language—the recipient’s first name.

Top Ten Most Common Subject Lines in BEC Emails

1. [FIRST NAME] 8.6%
2. Request 7.1%
3. Task 5.1%
4. Hello [FIRST NAME] 3.3%
5. Payment 2.9%
6. Hi [FIRST NAME] 2.0%
7. Update 1.9%
8. Chore 1.6%
9. [FIRST/LAST NAME] 1.5%
10. Urgent 1.5%
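The indicators this report describes for BEC mail, an executive’s display name on a sender address outside the corporate domain, a free webmail origin, the top subject lines above, and a gift card or direct deposit request in the body, can be combined into a triage score for a mail gateway or SOC queue. The following is an added example, not the report’s or Agari’s code; the protected domain, the executive list, the point weights and the escalation threshold are assumptions, and the sample messages are constructed after the two emails shown in this section.

```python
import re
from dataclasses import dataclass, field

# Assumptions for this example: the protected domain, the executives whose
# display names are worth guarding, and the score at which to escalate.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "raj patel"}
ESCALATE_AT = 50

# Indicators taken from the report's Q3 data (top webmail providers,
# top subject lines, and the two dominant cash-out requests).
FREE_WEBMAIL = {"rr.com", "gmail.com", "aol.com", "naver.com", "lycos.com",
                "cox.net", "earthlink.net"}
SUBJECT_KEYWORDS = {"request", "task", "payment", "update", "chore", "urgent"}
GIFT_CARD_TERMS = ("gift card", "google play", "steam wallet", "itunes", "walmart")
PAYROLL_TERMS = ("direct deposit", "dd details", "paycheck", "bank details")
REPLY_PREFIX = re.compile(r"^(re|fw|fwd)\s*:\s*", re.I)


@dataclass
class Message:
    display_name: str
    address: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def normalized_subject(subject: str) -> str:
    """Lower-case the subject and strip a leading Re:/Fw:/Fwd: prefix."""
    return REPLY_PREFIX.sub("", subject.strip()).lower()


def subject_is_personal(subject: str, recipient_first: str) -> bool:
    """True for the '[FIRST NAME]', 'Hello [FIRST NAME]' and 'Hi [FIRST NAME]' patterns."""
    s = normalized_subject(subject)
    first = recipient_first.lower()
    return s in {first, f"hello {first}", f"hi {first}"}


def triage(msg: Message, recipient_first: str) -> Verdict:
    """Score one inbound message against the report's BEC indicators."""
    v = Verdict()
    domain = msg.address.rsplit("@", 1)[-1].lower()
    if msg.display_name.strip().lower() in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN:
        v.add(40, "executive display name on a non-corporate sender address")
    if domain in FREE_WEBMAIL:
        v.add(20, f"sent from free webmail provider {domain}")
    if subject_is_personal(msg.subject, recipient_first):
        v.add(15, "subject is only the recipient's first name")
    elif normalized_subject(msg.subject) in SUBJECT_KEYWORDS:
        v.add(15, f"subject is a top BEC keyword: {normalized_subject(msg.subject)!r}")
    body = msg.body.lower()
    if any(t in body for t in GIFT_CARD_TERMS):
        v.add(25, "gift card purchase requested")
    if any(t in body for t in PAYROLL_TERMS):
        v.add(25, "direct deposit change requested")
    return v


def is_suspected_bec(v: Verdict) -> bool:
    return v.score >= ESCALATE_AT


# Constructed sample messages modelled on the two emails shown in this section.
SAMPLES = [
    Message("Jane Doe", "jane.doe.office@rr.com", "Re: Sarah",
            "I'm in the middle of something and want to surprise some staff with "
            "Walmart gift cards. Get 8 pieces of $500 each and email me the numbers."),
    Message("Jane Doe", "jdoe.exec@gmail.com", "Request",
            "I changed my bank and would like to update my paycheck dd details "
            "before the current pay date."),
    Message("Bob Vendor", "bob@vendor-example.net", "Q3 invoice attached",
            "Hi Sarah, the Q3 invoice is attached as discussed. Thanks, Bob"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = triage(m, "sarah")
        print(f"{m.subject!r}: score={verdict.score} escalate={is_suspected_bec(verdict)}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The reasons list is what an analyst sees in the ticket; the score only decides whether the message is queued for review.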


Your Name Here: Nearly 1 in 5 BEC Attacks Is Personalized

The use of the target’s first name in BEC attacks is quickly becoming less trend and more status quo. Nearly a fifth of BEC emails in the last quarter were personalized to include the recipient in the subject line. This level of personalization is meant to make the email seem more legitimate and lower the recipient’s guard.

It also shows the level of reconnaissance work some cybercriminals conduct prior to launching their malicious campaigns. Instead of simply scraping email addresses from company websites, some BEC groups meticulously curate target lists of specific executives and then use this data to construct personalized messages.

In fact, as our previous research has demonstrated, many BEC groups use commercial business intelligence services to construct tailored queries and collect comprehensive contact information for executives around the world—especially within financial services.

Some groups even appear to be using artificial intelligence to create fake emails that mimic the banter and writing style of trusted senders. According to news reports in the UK, a former MI5 agent is claiming that cybercriminal organizations are compromising email accounts using pilfered login credentials, and then deploying bots to scan the owner’s email archive to learn their personal writing style. They then launch phishing and BEC attacks from these trusted accounts, replicating the trusted sender’s own voice, and made all the more relevant by leveraging information specific to the target’s exchanges with the true account owner.

Personalized Subject Line Example Email

From: <[email protected]>
To: < >
Subject: Re: Sarah

I changed my bank and I’ll like to change my paycheck dd details, can the change be effective for the current pay date? Thanks,


Phishing Incident Response Trends

Key Findings

As incident response becomes more manual, there is an 18% quarter-over-quarter increase in the time required for SOC analysts to respond to employee-reported phishing notifications.

Employees report an average 33,108 incidents annually, a 14% spike over the quarter.

With an increase in security awareness training, there is an expected 16% jump in false positives from employee-reported incidents.


Incident Response Needs Increase

SOCs Left Reeling as Employee-Reported Attacks Climb 14%

With an estimated 22.9 phishing attacks launched every minute of the day, it is inevitable that an employee, perhaps several, will fall for a phishing email. When the costs associated with data breaches now average $11 million per incident for US companies, this is very unwelcome news.

According to Verizon’s 2019 Data Breach Investigations Report, over 90% of all breaches start with a phishing email. And Ponemon Institute estimates the probability of falling prey to at least one breach is now 14% per year. With higher volumes of reported attacks taking swamped SOCs longer to remediate, these estimates may ultimately prove optimistic. Worst of all, the fault may in part stem from the very instruments businesses are putting in place to minimize these same risks.

Employee Phishing Reporting Tools: How Best Intentions Backfire

Call it the power of unintended consequences. In addition to security awareness training and phishing simulations, the vast majority of businesses now provide employees with the ability to report suspected phishing emails with push-button ease. More often than not, the result is a mountain of employee-reported phishing emails that bury SOCs with more incidents to investigate, triage, and remediate than they can handle.

But make no mistake: Employee reporting is a key mechanism for detecting and containing breaches before data is exfiltrated. The challenge is to find ways to best leverage this threat feed so that it becomes the critically important asset it can be. But that will require businesses to also find ways to streamline and automate the processes involved with remediating attacks. Otherwise, the time it takes to discover and resolve email attacks and subsequent breaches will only grow longer and more perilous as corporate data, intellectual property, and other competitive information is exfiltrated by cyberthieves and monetized in any number of nefarious ways.


Inside the ACID Phishing Incident Response Survey

ACID’s quarterly survey of SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees is designed to gain insights on the incident response issues facing enterprises. This quarter’s survey participants include 175 respondents in the United States and 75 in the United Kingdom.

The survey asks a battery of questions regarding employee-reported phishing—including reporting mechanism, total volume, false positive rates, existing tools for phishing incident response, and time required to investigate phishing incidents. This section of the Q3 2019 Email Fraud and Identity Deception Trends report highlights analysis of these survey responses.


Employee Reporting Tools Gaining Traction

Survey Respondents Report More Reporting Options

A full 98% of this quarter’s survey respondents say employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious emails to the SOC team. Ninety-five percent of last quarter’s survey respondents reported having this ability, reflecting a possible 3% increase in organizations utilizing these tools.

Meanwhile, respondents to this quarter’s survey indicate that 88% of their organizations use phishing simulations to test employees’ ability to detect a phishing attack after participating in security awareness training. The remaining 12% of respondents report their organization does not conduct such tests. That’s a 4% drop compared to responses from participants in last quarter’s survey. Given last quarter’s survey reflected a 4% increase in organizations offering such tests, the combined surveys suggest the adoption rate for phishing simulations is flat in 2019.

In most cases, phishing simulations are implemented via an outside vendor in order to provide an objective assessment of security vulnerabilities.

Training Employees to Report Phishing

Ability to Report Phishing: 98% Ability to Report, 2% No Ability to Report
Phishing Simulation Adoption: 88% Yes, 12% No


How Employees Report Suspected Attacks

Employee phishing reporting doesn’t appear to be a one-size-fits-all proposition. While the most common mechanism available to employees to report phishing is an [email protected] inbox, most companies offer a mix of additional reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center for investigation and remediation. However, in some cases, the mail platform provider (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.

Employee Options to Report Phishing

Forward to Abuse Email Address 65%
Contact Help Desk Directly 58%
Email Client (Native) 43%
Email Client (Third-Party Vendor) 39%
No Ability to Report 2%
Other 0%


Average Number of Reported Phishing Incidents Per Organization Annually (chart: Global, US and UK, Q2 versus Q3)

Employee-Reported Incidents: Volume and Accuracy

The ability for employees to report suspected phishing incidents can be an important tool for SOC analysts. But just how many suspected attacks are reported? What about accuracy?

Based on the results to this quarter’s survey, respondents report roughly 33,108 phishing incidents per organization on an annual basis, with a slightly higher number of phishing incidents in UK-based companies—a reverse from last quarter’s survey results.

Employee-Reported Incidents: False Positive Rate Jumps 16%

The suspect emails employees report are not always true phishing incidents. The fact is, security training can sometimes make users zealous enough to report any questionable email. As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are not. Over the last quarter, the false positive rate for employee-reported phishing incidents jumped 16% on a global basis. In the United States, the rate rose from 56% to 65%, while the false positive rate in the United Kingdom saw no increase at all.

Employee-Reported Phishing False Positive Rate (chart: Global, US and UK, Q2 versus Q3; bar values as extracted: 68%, 65%, 26%, 52%)


Response Time Continues to Edge Upward

It is expected that SOC analysts must triage, investigate, and remediate threats—whether they are false positives or true attacks. On a global basis, it now takes an average 6.4 hours to complete the process. In the United States, the rate is up nearly twenty minutes while in the United Kingdom, the rate is up more than half an hour.

On average, SOC analysts now spend 6.13 hours triaging a false positive, compared to 5.58 hours in the previous quarter. And they spend an average 7.31 hours triaging, investigating, and remediating a valid phish—an increase of over half an hour during the same time period.

Average Time per Phishing Incident to Triage, Investigate, and Remediate (chart, in hours: Global, US and UK, True Phish versus False Positive; bar values as extracted: 5.96, 7.72, 7.31, 6.13, 5.99, 5.93)


Headcount Needs Up 44% in Just 12 Weeks

Bombarded by an endless stream of phishing incidents, the average number of SOC analysts per organization topped 15.3 during the second quarter of 2019—up from 14.6 in the previous quarter.

More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.

For example, 41% of organizations with more than 10,000 employees have twenty or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

The Q3 Staffing Gap

Based on the average 33,108 phishing incidents organizations face annually, along with the average time to remediate these incidents, the average SOC needs 110 analysts working forty hours a week on nothing but incident response to successfully remediate all reported emails. But since the average number of SOC analysts in our survey is 15.3, that means there’s a staffing gap of at least 95 full-time employees. This gap currently results in failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.

Average Number of SOC Analysts Employed per Organization

Global 15.3
US 16.6
UK 12.9


Breachonomics

Data Breach Risk Reductions from Automation Continue to Grow

According to the 2019 Verizon Data Breach Investigations Report (DBIR), more than 90% of all data breaches begin with a well-targeted email. For US-based organizations, the average cost of each data breach is now $8.19 million, with a 14.8% probability of suffering at least one breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $8.19 million by the probability of 14.8%, the annual breach risk is $1.2 million.

Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while it often takes months for the breach to be discovered. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

This could easily save 90% of SOC analysts’ time, which could then be applied to far more important initiatives.

Time to Exfiltration versus Time to Discovery (chart: share of breaches by time scale, Seconds through Years; Source: 2019 Verizon Data Breach Investigations Report)


An Average 54% Reduction in Breach Risks Estimated

As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average 54% by automating the process of phishing incident response.

In the United States, that figure rose 3% from the previous quarter, to an average 56% reduction in breach risk, while in the United Kingdom, estimates rose 4% during the same period, to an average 48% reduction. On a global basis, a 54% reduction in breach risk would result in a $654,545 decrease in annual breach risk for the average business.

Risk Reduction Due to Automated Phishing Incident Response

Global 54%
US 56%
UK 48%


Totaling It Up: The Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

Using averages for all variables, the detailed calculations that follow show a total annual cost to the SOC of $9.9 million and an average annual breach risk of $1.2 million—for a total cost of $11.1 million per company.

By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 54%, organizations could save $8.9 million in SOC costs and $654,545 in breach risk—for a total savings of $9.55 million annually.

SOC ANALYST COSTS
6.4 Hours per Phishing Incident x 33,108 Incidents = 211,891 Hours of SOC Analyst Time
211,891 Hours ÷ 1,920 FTE Hours per Year = 110 FTEs
110 FTEs x $90,000 per FTE = $9.9M per Year

SOC ANALYST SAVINGS
$9.9M – 90% SOC Time Savings = $8.9M Savings per Year

BREACH RISK REDUCTION
$8.19M Average Breach Loss x 14.8% Probability = $1.2M Breach Risk
$1.2M Breach Risk – 54% Risk Reduction = $654,545 Breach Risk Reduction

TOTAL SAVINGS
$8.9M SOC Analyst Time Savings + $654,545 Breach Risk Reduction = $9.55M Total Savings

To calculate a custom ROI for your organization, visit www.agari.com/roi
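The cost model above, and the staffing-gap figure from the Q3 Staffing Gap section, can be rerun with an organization’s own incident volume, handling time and headcount. The following is an added example, not the report’s or Agari’s calculator; the defaults are the report’s survey averages, and rounding to whole hours and whole FTEs follows the report’s own arithmetic (which is how it reaches $9.9M rather than $9.93M).

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Inputs:
    """Defaults are the report's Q3 survey averages; replace with your own."""
    hours_per_incident: float = 6.4        # avg triage + investigate + remediate
    incidents_per_year: int = 33_108       # employee-reported phishing incidents
    fte_hours_per_year: int = 1_920        # productive hours per analyst
    cost_per_fte: float = 90_000.0         # loaded annual cost per analyst, USD
    current_analysts: float = 15.3         # avg SOC headcount in the survey
    soc_time_savings: float = 0.90         # automation cuts handling time by 90%
    avg_breach_cost: float = 8_190_000.0   # Ponemon, US organizations
    breach_probability: float = 0.148      # Ponemon, chance of >= 1 breach per year
    risk_reduction: float = 0.54           # respondents' estimated reduction


@dataclass(frozen=True)
class Model:
    analyst_hours: int            # hours of analyst time consumed per year
    ftes_required: int            # analysts needed to clear every reported incident
    ftes_after_automation: int    # analysts needed once handling time is cut
    staffing_gap: int             # ftes_required minus current headcount
    soc_cost: float               # annual cost of manual handling, USD
    soc_savings: float            # USD saved by the time reduction
    breach_risk: float            # expected annual breach loss, USD
    breach_risk_reduction: float  # USD of breach risk removed
    total_savings: float          # soc_savings + breach_risk_reduction


def run_model(i: Inputs = Inputs()) -> Model:
    """Carry the report's three-stage calculation through with the given inputs."""
    hours = int(i.hours_per_incident * i.incidents_per_year)           # 211,891
    ftes = int(hours / i.fte_hours_per_year)                             # 110
    ftes_auto = math.ceil(hours * (1 - i.soc_time_savings) / i.fte_hours_per_year)
    gap = math.ceil(ftes - i.current_analysts)                           # 95
    soc_cost = ftes * i.cost_per_fte                                     # $9.9M
    soc_savings = soc_cost * i.soc_time_savings                          # $8.9M
    risk = i.avg_breach_cost * i.breach_probability                      # $1.2M
    risk_reduction = risk * i.risk_reduction                             # $654,545
    return Model(hours, ftes, ftes_auto, gap, soc_cost, soc_savings,
                 risk, risk_reduction, soc_savings + risk_reduction)


if __name__ == "__main__":
    m = run_model()
    print(f"analyst hours/year: {m.analyst_hours:,}  FTEs needed: {m.ftes_required}"
          f"  (after automation: {m.ftes_after_automation})  gap: {m.staffing_gap}")
    print(f"SOC cost ${m.soc_cost:,.0f}, savings ${m.soc_savings:,.0f}")
    print(f"breach risk ${m.breach_risk:,.0f}, reduction ${m.breach_risk_reduction:,.0f}")
    print(f"total savings ${m.total_savings:,.0f}")
```

The `ftes_after_automation` figure is the one the report leaves implicit: at the 90% time saving, the workload fits within the surveyed 15.3-analyst average instead of needing 110.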


Consumer Phishing and DMARC Trends

Key Findings

In a solid improvement, there is 13% growth in raw DMARC policies observed, up from a tepid 1% growth in the previous quarter.

The government sector retains its top position in percentage of organizations with email authentication as 81% of domains are at a p=reject policy.

BIMI gains popularity with 511 domains with an associated record, reflecting a 393% increase since last quarter’s measurement.


DMARC Adoption Snapshot

The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any industry survey—we break down the state of DMARC implementation worldwide from April 1 through June 30, 2019.

Why DMARC?

DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver system what to do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof legitimate domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

For more information on DMARC adoption and its benefits, visit www.agari.com/dmarc-guide

Domains with DMARC Policies (chart: Sept 2018, Dec 2018, Mar 2019 and June 2019, 0 to 8,000,000 domains; series: Block (p=reject), Quarantine, Monitor (p=none))

Page 40

Brands looking to deploy DMARC are advised to start with a p=none policy and work up to the p=reject policy through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

Adoption Up 13% Worldwide

By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from April through June 2019. Overall, there was 13% growth in the DMARC adoption rate, compared to just 1% growth in the previous quarter.

Page 41

Vendor Scorecard
How DMARC Service Providers Compare

Each quarter, we assess how vendors and DMARC service providers are helping organizations leverage DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of p=reject. This combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works

As a shorthand for determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as recipients of DMARC reporting feedback. The “rua” tag, which carries the email address that receives aggregate DMARC reports, is a good proxy for this calculation: the DMARC vendor behind that address typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

Q3 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies

The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, the policy level that blocks phishing messages from ever reaching the end user.
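The tallying method just described, as an added example that is not the report’s own tooling: it parses a set of constructed DMARC records, attributes each domain to a vendor by the domain part of the mailto: address in its rua tag, and reports the number of domains managed and the share at p=reject for each vendor. The vendor names, report-receiver domains, sample records and the domain threshold (lowered from the report’s 1,000 to fit the sample) are all hypothetical.

```python
"""Added example, not the report's own tooling: the vendor-scorecard tally
on a handful of constructed DMARC records. A domain is attributed to a
vendor when the domain part of a mailto: address in its rua= tag belongs
to that vendor. Vendor names, receiver domains and records are hypothetical."""
import re
from collections import defaultdict

# Hypothetical rua report-receiver domains -> vendor label
VENDOR_BY_RUA_DOMAIN = {
    "reports.vendor-a.test": "Vendor A",
    "dmarc.vendor-b.test": "Vendor B",
}

# Constructed crawl output: (customer domain, _dmarc TXT record)
SAMPLE_RECORDS = [
    ("alpha.test", "v=DMARC1; p=reject; rua=mailto:alpha@reports.vendor-a.test"),
    ("beta.test", "v=DMARC1; p=none; rua=mailto:beta@reports.vendor-a.test,mailto:sec@beta.test"),
    ("gamma.test", "v=DMARC1; p=quarantine; rua=mailto:gamma@dmarc.vendor-b.test"),
    ("delta.test", "v=DMARC1; p=reject; rua=mailto:delta@dmarc.vendor-b.test!10m; ruf=mailto:f@dmarc.vendor-b.test"),
    ("eps.test", "v=DMARC1; p=reject"),   # self-managed: no rua at all
    ("zeta.test", "v=DMARC1; p=none; rua=mailto:zeta@reports.vendor-a.test"),
    ("eta.test", "v=DMARC1; p=none; rua=mailto:eta@reports.vendor-a.test"),
]
MIN_DOMAINS = 2   # the report requires 1,000; lowered to fit the sample

# Domain part of each mailto: URI; stops before a ',' separator or a '!size' suffix
MAILTO_RE = re.compile(r"mailto:[^@,;\s]+@([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_dmarc(record):
    """'tag=value; tag=value' -> dict with lower-cased tag names."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def rua_domains(record):
    """Set of receiver domains named in the rua= tag (ruf= is ignored)."""
    return {m.group(1).lower() for m in MAILTO_RE.finditer(parse_dmarc(record).get("rua", ""))}


def scorecard(records, vendor_map, min_domains):
    """Rows of (vendor, domains managed, domains at p=reject, % at reject),
    largest vendor first, dropping vendors below min_domains."""
    managed, rejecting = defaultdict(int), defaultdict(int)
    for _domain, record in records:
        tags = parse_dmarc(record)
        if tags.get("v", "").upper() != "DMARC1":
            continue
        for vendor in {vendor_map[d] for d in rua_domains(record) if d in vendor_map}:
            managed[vendor] += 1
            if tags.get("p", "").lower() == "reject":
                rejecting[vendor] += 1
    rows = [(v, n, rejecting[v], round(100.0 * rejecting[v] / n, 1))
            for v, n in managed.items() if n >= min_domains]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def unattributed(records, vendor_map):
    """Domains with a valid DMARC record but no recognized vendor in rua=."""
    return sum(1 for _d, rec in records
               if parse_dmarc(rec).get("v", "").upper() == "DMARC1"
               and not any(d in vendor_map for d in rua_domains(rec)))


if __name__ == "__main__":
    for row in scorecard(SAMPLE_RECORDS, VENDOR_BY_RUA_DOMAIN, MIN_DOMAINS):
        print("%-9s managed=%d reject=%d (%.1f%%)" % row)
    print("without a recognized vendor:", unattributed(SAMPLE_RECORDS, VENDOR_BY_RUA_DOMAIN))
```

On the sample the larger vendor manages four domains with one at p=reject (25%), while the smaller one manages two with one at p=reject (50%), which is the “higher quantities can see lower enforcement” pattern the scorecard is designed to expose; the one self-managed domain shows up in the unattributed count.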

Page 42

Assessing Vendor Attributes

THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle to balance the number of domains they service against the percentage of those records they succeed in converting to the highest enforcement policy. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to get enterprise domains set to reject.

QUALITY VARIES WILDLY: Less than 1% of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.

[Chart: DMARC Policy Observations Over Q2 2019; vendors: Barracuda Networks, Return Path, Valimail, 250ok, MXToolbox, Postmarkapp, DMARC Analyzer, Proofpoint, Dmarcian, Agari; series: # Domains Managed (0 to 200,000), Domains w/ Reject Policy, % Reject Policy (0% to 80%)]

Page 43

DMARC Breakout Session
Email Authentication Grows, Reject Policies Still Not Enforced

Each quarter, ACID examines the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany and the US Remain DMARC Leaders

Consistent with our last report, Germany leads all geographies in registered domains with established DMARC records, and in the vast majority of domains for which a country code can be correlated. However, most DMARC records here are at the default, monitor-only setting. By contrast, while the United States lags Germany in country-coded domains with DMARC records, it ranks first in the number of domains with an established p=reject policy.

Reasons for the disparity are unclear. But one possibility is that registrars in Germany may assign DMARC records as a default as an added feature for customers acquiring domains.

According to MediaPost, suspicious emails make up only 0.2% of the total email volume sent within the US, while 76% of all emails sent within Germany are considered suspect. It’s possible that a domain-with-DMARC record bundle from registrars is attractive to customers hoping to move quickly on securing new email domains.

[Chart: Top 10 Countries with DMARC Policies; 0 to 2,000,000 domains; country labels as extracted: TR, PL, ES, UK, IE, FR, RU, NL, US, DE]

[Chart: Top 10 Countries with DMARC Policies at p=reject; 0 to 250K domains; country labels as extracted: CO, BR, FR, NO, UK, RU, IE, DE, NL, US]

Page 44

DMARC Adoption Trends Among the World’s Most Prominent Companies

Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) highlights trends among prominent organizations across geographies.

The charts on the next few pages offer a snapshot of DMARC adoption trends among some of the world’s most prominent corporations. It’s important to note that even companies that have assigned DMARC records to their domains are not truly protected unless they are set to the highest level of enforcement. The sizable proportion of “no record” and “monitor only” policies showcases that these organizations can still be impersonated in phishing campaigns that put their customers, investors, and the general public at risk of serious financial harm.

The charts capture:

ADOPTION: The percentage of organizations with DMARC policies versus those without any DMARC record.

MONITOR: Domains possessing DMARC records with a monitor-only policy, which allows organizations to see who is sending emails on their behalf, but does nothing to block those emails from hitting end user inboxes.

QUARANTINE: Domains possessing DMARC records with a quarantine policy that sends phishing emails to the spam folder.

REJECT: Domains possessing DMARC records with the reject policy needed to block phishing attempts impersonating their brands.

Page 45

[Chart: Fortune 500 DMARC Adoption, Sept 2018, Dec 2018, Mar 2019 and June 2019; percentage of companies (0 to 100) by policy: Reject, Quarantine, None, No Record]

The Fortune 500: 83% of Companies at Risk for Impersonation

The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending among large companies.

Just under 40% of the Fortune 500 have no DMARC records at all assigned to their domains, while 44% of those that do have yet to set a policy.

It’s worth noting, however, that the number of Fortune 500 companies with an established policy does continue to grow, albeit at a glacial pace.

Currently, only 12% of the Fortune 500 is completely protected against phishing-based brand impersonation attacks that put their customers, the public, and their investors at risk.

The percentage of companies with a quarantine policy, which sends phishing emails to the spam folder rather than the inbox, has stayed the same over the previous quarter.

Page 46

[Chart: FTSE 100 DMARC Adoption, Sept 2018, Dec 2018, Mar 2019 and June 2019; percentage of companies (0 to 100) by policy: Reject, Quarantine, None, No Record]

FTSE 100: DMARC Adoption Up, Though 83% of Companies Unprotected

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange. It is seen as the benchmark reference for those seeking an indication on the performance of major companies in the United Kingdom.

The FTSE moved fast during the second quarter, with sixteen companies now fully protected by email authentication—an increase of two over the previous quarter.

Meanwhile, 83% of companies on the exchange remain unprotected against email-based brand impersonation—down from 94% two years ago.

DMARC adoption in the FTSE 100 is improving, but more needs to be done, and much faster, to ensure businesses’ brand identities are not being used in attacks against consumers, partners, and other organizations.

Page 47

[Chart: ASX 100 DMARC Adoption, Sept 2018, Dec 2018, Mar 2019 and June 2019; percentage of companies (0 to 100) by policy: Reject, Quarantine, None, No Record]

ASX 100: 92% of Australia’s Top Companies Leaving Customers at Risk

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities. And today, just eight of those companies have implemented DMARC with the reject policy needed to block fraudsters from impersonating their brands.

Over half of companies here have yet to take the first step in protecting their brand identities from being pirated in email attacks targeting customers—showcasing how few Australian organizations are thinking about email security.

One point of hope is that one additional company moved to a reject policy this quarter for the first time in three quarters.

Page 48

DMARC Adoption by Industry Vertical

Our quarterly analysis of DMARC adoption is based on public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

The US government remains the hands-down leader in DMARC policy attainment across all major sectors this past quarter, with 81% of domains at a p=reject enforcement policy. But it’s worth noting that progress was seen across all sectors, with the percentage of domains without DMARC records dropping between 3% and 5% depending on the industry vertical.

While the percentage of DMARC records without policies (p=none, monitor only) bumped up, likely due to increased numbers of domains overall, so did the percentage of DMARC implementations at a p=reject enforcement policy. Excluding government’s already high enforcement levels, all industry verticals in the index saw increases in p=reject enforcement policies of between one-half and 1%, with healthcare leading the way.

[Chart: DMARC Policy and Enforcement Trends for Key Industries; percentage of domains (0 to 100) at Reject, Quarantine, None and No Record for Retail, Healthcare, Other, Tech, Finance and US Gov; reject-policy values as extracted: 81%, 16%, 8%, 7%, 5%, 4%]

Page 49

The Agari Advantage: Industry Enforcement Comparison

Data in the Agari Email Threat Center enables us to understand how enforcement rates across industries compare with those of Agari customers.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 350 billion emails from over 20,500 domains from April through June 2019.

Government Retakes the Reins as Retail Rises Fast

Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers.

During the second quarter of 2019, Retail leapfrogged last quarter’s leader, Healthcare. But both were surpassed by Government, which reclaimed the first spot in the percentage of domains at enforcement.

Healthcare’s gains have been driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match the US Government’s Binding Operational Directive 18-01. First issued in October 2017, BOD 18-01 has helped propel Government to record high DMARC implementations at full p=reject enforcement.

But the gains achieved by Agari’s Retail sector clients are eye-popping in their own right—increasing DMARC records set to the top enforcement level by 8% in just ninety days. As retailers expand the number of online channels from which they market merchandise, cybercriminals have been increasingly targeting the sector. And with the end of summer and the all-important 2019 holiday shopping season coming fast, it’s clear retailers want to be ready for whatever fraudsters throw their way.

[Chart: Percentage of Domains at Enforcement, Global versus Agari Customers (0 to 100), for Retail, Healthcare, Other, Tech, Finance and US Govt]

Note: The Agari Email Threat Center tracks authentication statistics across active domains belonging to customers of Agari. Passive or defensive domains that do not process email will not be reflected in the totals.

Page 50

Brand Indicators Adoption
BIMI Skyrockets Nearly 400% in Just Ninety Days

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logo online with built-in protections that safeguard against attempts to spoof the logo.

Brands such as Groupon, Air Canada, eBay, and Capital One are just a handful of the household names that use BIMI to display their logo next to their email messages—enhancing brand presence as well as the ability for brands to control the logo that is displayed. BIMI will work only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.
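A check for the prerequisite described above, as an added example not taken from the report: given a domain’s constructed DNS records, it decides whether BIMI can apply by confirming a valid BIMI assertion record and a DMARC policy at enforcement. The record location (default._bimi.<domain>), the v=BIMI1 and l= tags, the https requirement on the logo URL, and the enforcement rule (p=reject, or p=quarantine with pct=100, and no sp=none) are taken from the BIMI specification draft as the author of this example understands it, not from the report; every domain name below is a placeholder.

```python
"""Added example, not from the report: deciding whether a domain meets the
BIMI prerequisite of a DMARC policy at enforcement. DNS is simulated with a
dict; every domain name and record below is a constructed placeholder.
Assumptions taken from the BIMI draft specification (not from the report):
the assertion record is at <selector>._bimi.<domain>, must start with
v=BIMI1 and give an https logo URL in l=; DMARC counts as enforcing when
p=reject, or p=quarantine with pct=100 (pct absent means 100), and the
sp= tag, if present, is not none."""

BIMI_SELECTOR = "default"

DNS_TXT = {
    "_dmarc.brand-ok.test": "v=DMARC1; p=reject; rua=mailto:agg@brand-ok.test",
    "default._bimi.brand-ok.test": "v=BIMI1; l=https://brand-ok.test/logo.svg; a=https://brand-ok.test/vmc.pem",
    "_dmarc.brand-monitor.test": "v=DMARC1; p=none",
    "default._bimi.brand-monitor.test": "v=BIMI1; l=https://brand-monitor.test/logo.svg",
    "_dmarc.brand-partial.test": "v=DMARC1; p=quarantine; pct=20",
    "default._bimi.brand-partial.test": "v=BIMI1; l=https://brand-partial.test/logo.svg",
    "_dmarc.brand-subnone.test": "v=DMARC1; p=reject; sp=none",
    "default._bimi.brand-subnone.test": "v=BIMI1; l=https://brand-subnone.test/logo.svg",
    "_dmarc.brand-http.test": "v=DMARC1; p=reject",
    "default._bimi.brand-http.test": "v=BIMI1; l=http://brand-http.test/logo.svg",
}


def parse_tags(record: str) -> dict:
    """'tag=value; tag=value' -> dict with lower-cased tag names."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}


def dmarc_at_enforcement(record: str) -> bool:
    """True when the DMARC record meets the enforcement rule stated above."""
    t = parse_tags(record)
    if t.get("v", "").upper() != "DMARC1":
        return False
    p = t.get("p", "none").lower()
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        return False
    if t.get("sp", p).lower() == "none":   # sp= defaults to p= when absent
        return False
    return p == "reject" or (p == "quarantine" and pct == 100)


def bimi_status(domain: str) -> str:
    """'eligible', or the first reason the logo would not be shown."""
    bimi = DNS_TXT.get(f"{BIMI_SELECTOR}._bimi.{domain.lower()}")
    if bimi is None:
        return "no-bimi-record"
    t = parse_tags(bimi)
    if t.get("v", "").upper() != "BIMI1":
        return "invalid-bimi-record"
    # An empty l= (a brand opting out) is treated as not eligible here.
    if not t.get("l", "").lower().startswith("https://"):
        return "logo-not-https"
    dmarc = DNS_TXT.get(f"_dmarc.{domain.lower()}")
    if dmarc is None or not dmarc_at_enforcement(dmarc):
        return "dmarc-not-enforcing"
    return "eligible"


if __name__ == "__main__":
    for name in ("brand-ok", "brand-monitor", "brand-partial", "brand-subnone", "brand-http"):
        print(f"{name}.test: {bimi_status(name + '.test')}")
```

The three failing DMARC cases (monitor-only, partial quarantine, and a reject policy undermined by sp=none) are the same gaps the adoption figures on the preceding pages describe; a published logo record does nothing for a domain whose policy still lets spoofed mail through.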

Q3 Snapshot: 393% Growth in Brand Adoption

As of June, 511 domains added BIMI records alongside their top level domains, and any number of additional subdomains. This is up from 130 logos in March, making for a 393% increase in just twelve weeks, showcasing the growing importance of this standard.

It’s worth noting that smaller brands, seeking to leverage the tremendous brand presence BIMI affords their logos by displaying them prominently within email clients, make up a significant portion of the adoption increases. Look for this to precipitate faster growth among major brands aiming to avoid being outpaced by challenger brands, especially as Google has announced a BIMI pilot program beginning in early 2020.

Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered a “must-have” for brand email campaigns everywhere.

For more information about BIMI, visit: bimi.agari.com

Page 51

About This Report

This report contains metrics from data collected and analyzed by the following sources:

Aggregate Advanced Threat Protection Data

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good or authentic traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream SEGs into distinct threat categories, such as display name deception, compromised accounts, and more.

Phishing Incident Response Trends

This report presents results from a custom survey conducted by Agari during June 2019. The following charts summarize the demographics and location of the respondents.

Global DMARC Domain Analysis

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 328,540,568 domains, ultimately observing 7,671,752 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.

Respondent Characteristics

Country: US 66% (181); UK 34% (95)

Company Size: 1–5K 53% (151); 5–10K 24% (70); 10K+ 23% (65)

Page 52

About the Agari Cyber Intelligence Division (ACID)

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s unique mission of protecting communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Learn more at acid.agari.com

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spear phishing, and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide.

Learn more at www.agari.com

Page 53

View the 2020 Presidential Campaign Email Threat Index

To see the latest information on which candidates have implemented email security for their campaigns, visit: www.agari.com/election2020

Visit the Agari Threat Center

To see up-to-date global and sector-based DMARC trends across the Agari customer base, visit: www.agari.com/threatcenter

Calculate the ROI of Implementing Agari

To discover how much money you can save by adding Agari to your email security environment, visit: www.agari.com/roi

Discover How Agari Can Improve Your Current Email Security Infrastructure

As your last line of defense against advanced email attacks, Agari stops attacks that bypass other technologies—protecting employees and customers, while also enabling incident response teams to quickly analyze and respond to targeted attacks.

Get Free Trial www.agari.com/trial